The advent of the Internet dramatically facilitated exchange of data among computers. The Internet also provided unprecedented opportunities for telecommuting and mobile computing. Many companies, corporations, businesses and organizations allow remote access to their enterprise networks so that remote users can access resources on the networks. The enterprise network may be a secure corporate network or any other private network access to which is controlled by the enterprise.
Increasing access to information on the enterprise network raises an issue of ensuring security of the information. Different technologies exist to provide secure access to an enterprise network. For most private networks, some form of authentication is required before a remote client is allowed to access resources on the network. A remote entity, such as a remote client computer or a user having an account on a corporate network, which attempts to access resources on the network, typically provides authentication information.
A number of different mechanisms are used for secure access to resources on an enterprise network. DirectAccess is a remote access technology developed by Microsoft® Corporation that allows remote users to connect to an enterprise network whenever they have Internet access, without initiating a virtual private networking (VPN) connection. Unlike VPN, DirectAccess may automatically establish a bi-directional connection from a remote client computer to a corporate network. This allows the remote user to access internal network resources through an environment that provides the same user experience as the user would have in the office.
DirectAccess may use secure access mechanisms provided by network communication protocols such as, for example, Internet Protocol security (IPsec) over Internet Protocol version 6 (IPv6), to encrypt communications over the Internet.
A connection between a remote client, which may be a domain member of a corporate network, and the corporate network using DirectAccess may be established as a secure connection over one or more IPsec tunnels. The IPsec tunnels may be established between the remote client and a gateway server, referred to as a DirectAccess server, providing access to the corporate network. In this “end-to-edge” model of DirectAccess, once the remote client establishes one or more IPsec tunnels to the DirectAccess server, that server may then forward unprotected traffic to the corporate resources. In another model of implementing DirectAccess, which is referred to as an “end-to-end” model, the remote client may establish an IPsec session with each resource on the corporate network to which the client connects. In this way, communications between the remote client and a corporate resource may be protected while traversing both the Internet and the corporate network. Other models of DirectAccess may be implemented as well, including combinations of the above “end-to-edge” and “end-to-end” models.
To track, monitor and control clients accessing resources on an enterprise network over a remote network access connection, a network administrator may utilize information obtained in conjunction with such accesses. When a remote client computer connects to an enterprise network using DirectAccess, multiple security associations may be formed for interactions between the client computer and resources on the enterprise network. Multiple security associations may complicate monitoring remote network access.
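As an added illustration of the monitoring problem described above (this is example code, not part of the original text), the following folds the several IPsec security associations one DirectAccess client may hold into a single per-client record and labels each association as "end-to-edge" (peer is the DirectAccess server) or "end-to-end" (peer is an internal resource). The addresses, field names and the assumption that the monitor knows the gateway address and the internal prefix are all constructed for the example.

```python
"""Correlate IPsec security associations (SAs) per remote DirectAccess client."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical addressing used only for this example.
DA_SERVER = ipaddress.ip_address("2001:db8::1")        # DirectAccess gateway
CORP_NET = ipaddress.ip_network("2001:db8:1::/48")       # internal resources


@dataclass(frozen=True)
class SecurityAssociation:
    spi: int        # IPsec Security Parameter Index
    client: str     # remote client IPv6 address
    peer: str       # address the client negotiated the SA with
    mode: str       # "tunnel" or "transport"


def classify(sa, da_server=DA_SERVER, corp_net=CORP_NET):
    """Return which DirectAccess model an SA belongs to."""
    peer = ipaddress.ip_address(sa.peer)
    if peer == da_server:
        return "end-to-edge"       # tunnel terminates at the gateway
    if peer in corp_net:
        return "end-to-end"        # SA reaches an internal resource directly
    return "unknown"


def sessions_by_client(sas, da_server=DA_SERVER, corp_net=CORP_NET):
    """Fold many SAs into one monitoring record per remote client."""
    sessions = defaultdict(lambda: {"sa_count": 0, "models": set(), "peers": set()})
    for sa in sas:
        rec = sessions[sa.client]
        rec["sa_count"] += 1
        rec["models"].add(classify(sa, da_server, corp_net))
        rec["peers"].add(sa.peer)
    return dict(sessions)


# Constructed sample: one client holding two gateway tunnels plus an
# end-to-end transport SA, and a second client with a single tunnel.
SAMPLE_SAS = [
    SecurityAssociation(0x1001, "2001:db8:2::10", "2001:db8::1", "tunnel"),
    SecurityAssociation(0x1002, "2001:db8:2::10", "2001:db8::1", "tunnel"),
    SecurityAssociation(0x1003, "2001:db8:2::10", "2001:db8:1::50", "transport"),
    SecurityAssociation(0x2001, "2001:db8:2::20", "2001:db8::1", "tunnel"),
]

if __name__ == "__main__":
    for client, rec in sessions_by_client(SAMPLE_SAS).items():
        print(client, rec["sa_count"], sorted(rec["models"]), sorted(rec["peers"]))
```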